Twenty-four hours isn't much time to absorb the gargantuan 1,500 pages that comprise the just-released final privacy rules of the Health Insurance Portability and Accountability Act (HIPPA). But considering the massive impact they'll have on U.S. healthcare beginning in 2002, a couple of brave lawyers were willing to stay up late Wednesday night to evaluate them.
Their verdict: Should these rules go unchallenged, their effect could be so burdensome as to wipe out any potential cost savings HIPAA might have produced.
The new privacy rules join the standard electronic transactions finalized last year as finished pieces of the multipart HIPAA legislation. Still to come are security rules that govern data transmission, use, and storage. There's also a section on healthcare identifiers -- fine for institutions but controversial for individuals. The security rules, which necessarily overlap somewhat with the privacy rules, will likely be released in the next three to four months.
The original goal was simple: to ensure that patient information remains private as more health information is transmitted electronically. But instead, complex and confusing regulations have been created that are unworkable despite their laudable goals, according to attorney Alan Goldberg from the Boston law firm of Goulston & Storrs.
"The dilemma is that healthcare is too big, too complex and too active a part of our national economy and, indeed, of our lives, to submit to the notion of a uniform and practical solution to the supposed privacy crisis.
"When all of this rulemaking finds its way down to the bottom of the healthcare food chain, those having to understand the rules won't; those having to implement the rules will need substantial time and resources not now available; and those seeking the benefit of the rules will grow increasingly frustrated and ultimately, perhaps, realize that the ideal and the reality are worlds apart," he wrote.
The final privacy rules released by the Department of Health and Human Services (DHHS) differ substantially from the proposed rules published last year. In general the effect of more than 52,000 public comments DHHS received has made the final rules far more restrictive.
For example, the proposed rules covered all electronic records, as well as paper records that were electronic at some point -- whereas the final rules cover all electronic, paper, and oral health information. In announcing the rules, DHHS Secretary Donna Shalala called protection of all records "the most logical, workable and understandable approach for patients and providers alike."
The proposed rules were also strengthened with regard to patient consent requirements for routine use of so-called protected health information (PHI) in treatment, payment and operations, the least-scrutinized categories of information under the rules. The proposal required no patient consent for treatment, payment and operations, but a groundswell of public support convinced DHHS to add the consent requirement to the final rules, said Kristen Rosati, a healthcare attorney with Coppersmith Gordon Schermer Owens & Nelson PLC of Phoenix.
"When DHHS put out the proposed regulations for comment, they were deluged with comments from patient privacy advocates saying that [providers] already get consent as a condition of treatment," she said -- like when you go to the doctors office and sign a form that says they'll use your information for treatment, and then submit the information to the health insurance plan."
The rules cover the internal use of information, as well as disclosure of information outside of an institution. Under the final rules, whoever is treating the patient will need consent to use the patient's health information -- even if it's already in the hospital information system, Rosati said. She cautioned that her review was still preliminary, however, and that she was unsure of just how frequently or extensively patient consent would be required within a single organization. And there are exceptions to the consent requirement, she said.
"Where consent is required for treatment, it's not required for emergencies, but it’s not very clear [under the rules] what 'emergency' means," Rosati said.
Next page: Consent and authorization
1,2
Copyright © 2000 AuntMinnie.com
